CVE-2022-2228: 
GitLab vulnerability analysis and mitigation

Information exposure vulnerability (CVE-2022-2228) was discovered in GitLab Enterprise Edition affecting all versions from 12.0 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1. The vulnerability was discovered internally by the GitLab team and disclosed on June 30, 2022 (GitLab Release).

The vulnerability allows an attacker with appropriate access tokens to obtain CI variables in a group that uses IP-based access restrictions, even when the GitLab Runner is calling from outside the allowed IP range. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N (NVD).

The vulnerability could lead to unauthorized access to CI variables, potentially exposing sensitive information stored in group CI variables even when IP-based access restrictions are in place (GitLab Release).

The vulnerability has been fixed in GitLab versions 14.10.5, 15.0.4, and 15.1.1. Users are strongly recommended to upgrade to one of these patched versions immediately. GitLab.com was already running the patched version at the time of disclosure (GitLab Release).